Build an IT Structure for Compliance

There was a time when IT simply kept systems and apps running, "keeping the lights on," as the saying goes. As those systems became more tightly integrated with business operations and critical to their success, systems and software became indispensable. With widespread access, however, any critical data and its processing systems were made vulnerable to subversion by error, omission or malice. This was the genesis of compliance.

Generally speaking, compliance efforts ensure that an organization actually does what it says it's going to do, and that those actions have the intended results. Ideally, any measured activities map directly to a policy or regulatory requirement. Compliance measurements look at systems and networks to ensure that they're configured to fulfill policy requirements. They can also look at actions by individual users, and log those actions to generate analyses and reports. The business goals include assurance of system and information security, authorization and forensics.

Compliance is strengthened through the force of regulatory requirements like Sarbanes-Oxley and HIPAA, which mandate verifiable controls for IT-supported transactions and processes. Industries like health care, aviation and financial services all have legal or regulatory requirements that mandate compliance procedures. While such regulatory requirements are a major driver, organizations that practice good governance are generally within compliance in the course of supporting their own policies.

While thoughts of compliance conjure up unpleasant images of auditors and checklists, the implications of not doing it properly are enormous. If you correctly establish guidelines, compliance can be a smooth set of processes that don't interrupt the normal flow of work. Here we'll examine several compliance solutions that address different needs within an organization, such as security, access control, logging, analysis and reporting.

Shavlik Technologies: Shavlik Security Intelligence
Shavlik Security Intelligence (SSI) combines several of the company's individual point products, with significantly expanded capabilities, into a comprehensive portal for assessing your network's risk and compliance. If your first reaction was "these are the patch management guys, right?" you're on the right track. SSI goes far beyond the individual point products.

Patching is an important part of SSI. One way it defines compliance is to ensure that systems are patched according to established protocols. SSI shows the patch status of all systems in the network, and color-codes both individual systems and overall status. It also provides overviews of other areas of compliance, especially Sarbanes-Oxley requirements.

SSI also looks for malware infestations, including spyware and adware, and then generates reports for individual systems and the entire network. Unlike similar anti-malware products, SSI also checks for what it terms "non-bizware," or software not authorized by IT. For license-compliance purposes, you can easily see any unauthorized software installations.

The SSI dashboard is very easy to navigate. The primary view has four different panes, each with a customizable view of the systems' state. One pane also provides any current system alerts. Alerts are driven by your policies or watermark thresholds, so you can adhere to compliance requirements and remain fully informed of system state.

SSI has a large number of data views. The main view shows the overall status of all systems on the network. Clicking on any pane blows up that view so that it becomes the focus of the display. That larger view lets you drill down by clicking on the top window bar and selecting one of the more detailed views provided. Those views generally break down the overall view into selected smaller sets of data. There are dozens of views on different aspects of the system state, trend and data.


Figure 1. SecureVue: The eIQnetworks SecureVue dashboard provides a color-coded status of all network devices, showing a compliance overview at a glance.

Shavlik regularly provides patch status updates, so you can be certain you have the most recent patch information available. It looks at patches beyond the OS, leveraging Shavlik's extensive patch database of enterprise applications. The company also researches trends in key legal and regulatory areas, so that it keeps the product up to date on compliance issues.

NetChk Compliance, which is another of Shavlik's products, provides security configuration management and ensures IT audit readiness. It helps you streamline your security configuration policies by leveraging existing configurations, and gives you a means of managing and mapping configurations to supporting policies.

While SSI may lack the breadth of features of some of the other compliance products, its dashboard and excellent layout of information give it the potential to make up a significant part of a more comprehensive compliance solution. SSI also provides information and analyses on problem areas its tools address, so it's more than simply a data gathering and reporting medium. If you're having difficulty managing patches, and if you have regulatory compliance needs that Shavlik covers, SSI will get you most of the way to your goals.

eIQnetworks: SecureVue
SecureVue is unique in that it combines a number of features in a single platform for an integrated approach to security, risk and audit management. It incorporates security information management (SIM) with governance, risk and compliance to both improve operational efficiency and reduce management complexity.

The breadth of coverage is impressive. SecureVue includes log management, analytics for assets, configuration, performance and vulnerability, and provides a means for monitoring and analysis of network status across a range of functions. Network and audit professionals can work from the same set of data in order to optimize network utilization and performance, and ensure the network remains in compliance with policies and regulations as well.

SecureVue does this through a comprehensive dashboard that covers security, configuration and audit. The dashboard gives you a visual way to ascertain the status of the network, including data on groups, alerts, events, devices, hosts and network topology. Several tabs on the dashboard provide ready access to different types of information and different views of that information. You can customize both the views and the information presented in those views to meet your own needs.

You can look at all IP devices on the network, either singly or in aggregate, and get essential information from each of them. You can also look at all network and system events by group, device type or individual device. You can color-code all data to give you an overall picture at a glance. Simply double-clicking on the display lets you drill down into summary data and analyses.

You can easily create network policies within the Policies tab, using a visual editor and regular expressions. For example, you can create a policy that tells the software to flag you if malware attacks increase beyond a certain point. The flag can take the form of a simple notation, a big red icon or an e-mail sent to your BlackBerry. In the second case, a glance at the dashboard shows you that you have an issue.
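As an added illustration, not SecureVue's own code or policy format, here is how such a threshold policy can be evaluated in Python: a regular expression selects the events that count as malware attacks, and the policy flags when the current window holds more of them than the previous window beyond a tolerated increase. The event lines, the policy fields and the escalation mapping are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sample events (not SecureVue output): "<ISO time> <host> <message>"
SAMPLE_EVENTS = """\
2024-05-01T09:02:11 hostA AV: malware detected Trojan.Generic quarantined
2024-05-01T09:15:40 hostB AV: malware detected Worm.Autorun quarantined
2024-05-01T10:05:13 hostC AV: malware detected Trojan.Generic quarantined
2024-05-01T10:07:55 hostD AV: malware detected Adware.Toolbar removed
2024-05-01T10:12:30 hostB AV: malware detected Trojan.Generic quarantined
2024-05-01T10:20:01 hostE AV: malware detected Spyware.Keylog quarantined
2024-05-01T10:25:44 hostA logon failure user=bob
"""
# Policy in the spirit of the SecureVue example: the regular expression selects the
# events that count as malware attacks, and the policy fires when the current window
# holds more than `tolerated_increase` extra matches than the window before it.
POLICY = {
    "name": "malware-attack-increase",
    "pattern": re.compile(r"\bmalware detected\b", re.IGNORECASE),
    "window": timedelta(hours=1),
    "tolerated_increase": 1,
    # Flag forms named in the review, escalated by how far the increase overshoots.
    "actions": {1: "notation", 2: "red-icon", 3: "email"},
}
EXAMPLE_NOW = datetime(2024, 5, 1, 10, 30)  # evaluation time for the sample data
def parse_events(text):
    """Split each line into (timestamp, host, message)."""
    events = []
    for line in text.splitlines():
        ts, host, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, msg))
    return events
def evaluate_policy(events, policy, now):
    """Count matches in the current and previous windows and decide the flag."""
    cur_start = now - policy["window"]
    prev_start = cur_start - policy["window"]
    current = previous = 0
    for ts, _host, msg in events:
        if not policy["pattern"].search(msg):
            continue
        if cur_start <= ts < now:
            current += 1
        elif prev_start <= ts < cur_start:
            previous += 1
    excess = current - previous - policy["tolerated_increase"]
    action = policy["actions"][min(excess, 3)] if excess > 0 else None
    return {"policy": policy["name"], "previous": previous, "current": current,
            "flagged": action is not None, "action": action}

def run_example():
    return evaluate_policy(parse_events(SAMPLE_EVENTS), POLICY, EXAMPLE_NOW)
```

With the sample data the 10:30 evaluation sees four attacks in the current hour against two in the hour before, so the policy fires at its lowest level.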

Analysis is a big part of SecureVue. Out of the box, it gives you highly visual aggregated data from hundreds of different locations. This is the way you'd do it with homemade tools, if you only had time. You might want a slightly different display, with different data or a pie chart rather than a tabular listing. No problem. It would take minutes to customize.

The integrated approach and compliance dashboard help bring together disparate parts of the IT team that often have different goals and information needs. Like most compliance products, SecureVue monitors and analyzes but doesn't enforce policies. You still have to work with the network and servers to set policies and restrictions that meet organizational goals or legal requirements.

That limitation aside, SecureVue excels at helping you immediately understand the status of your network and systems, get details of any system or network device, and ensure network compliance with policies and regulations. For anyone looking into comprehensive network management and compliance solutions, it doesn't get much better than this.

NetPro Computing: NetPro Compliance Solution
Several of NetPro's products perform compliance functions across the network and are offered collectively as the NetPro Compliance Solution. The specific NetPro products examined here include AccessManager, SecurityManager, ChangeAuditor and LogADmin.


Figure 2. NetPro: SecurityManager provides a set of built-in security policies against which it can evaluate the network.

These products help you manage network and Active Directory policies and automate recorded and verifiable processes. NetPro products also help ensure a secure and compliant networking environment by tracking all critical AD, Exchange and File Server changes in real time. They also log events for later analysis and verification. Together, they help organizations meet the compliance requirements of Sarbanes-Oxley, HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Management Act (FISMA), the Payment Card Industry (PCI) Data Security Standard and ISO 17799.

These tools perform the network activities reflected by their names. For example, AccessManager provides access enforcement, remediation and auditing through Active Directory. SecurityManager provides a dashboard that shows you the security status of the network and systems on the network. It provides security and audit templates you can use to centrally manage Active Directory, along with NTFS, shares, printers, services and registry settings. ChangeAuditor tracks all changes, including additions, deletions, changes of permission and other modifications made to the network administrative structure. It helps to detail who, what, when, where and why, as well as keep track of the original and current values for all changes. Lastly, LogADmin compresses and copies event logs in their original format to a central location for storage and analysis.
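An added example, not NetPro's code, of the two operations described above in Python: deriving ChangeAuditor-style change records with original and current values from two configuration snapshots, and evaluating a SecurityManager-style template against the current one. The snapshots, template keys and the who/when/where context are constructed for illustration.

```python
import hashlib
import json

# Constructed snapshots of one server's security-relevant settings (not NetPro data).
# Keys name a registry value, a share permission entry or a service start type.
SNAPSHOT_BEFORE = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse": 1,
    r"share:\\FS01\Finance:Everyone": "Read",
    "service:RemoteRegistry:StartType": "Disabled",
    "service:Spooler:StartType": "Automatic",
}
SNAPSHOT_AFTER = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse": 0,
    r"share:\\FS01\Finance:Everyone": "Full Control",
    "service:RemoteRegistry:StartType": "Disabled",
    "service:Spooler:StartType": "Automatic",
    r"share:\\FS01\Scratch:Everyone": "Read",
}
# A security template in the spirit of SecurityManager's built-in policies:
# the value each setting must hold for the server to be compliant.
TEMPLATE = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse": 1,
    r"share:\\FS01\Finance:Everyone": "Read",
    "service:RemoteRegistry:StartType": "Disabled",
}

def audit_changes(before, after, context):
    """ChangeAuditor-style records: what changed, with original and current values.
    `context` carries who/when/where, which a real agent takes from the event log."""
    records = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            what = "added" if old is None else "deleted" if new is None else "modified"
            records.append({**context, "what": what, "setting": key,
                            "original": old, "current": new})
    return records

def check_template(template, snapshot):
    """Return the settings whose current value departs from the template."""
    return [{"setting": k, "expected": v, "actual": snapshot.get(k)}
            for k, v in template.items() if snapshot.get(k) != v]

def seal(records):
    """Hash the records so a stored audit trail can later be verified unchanged."""
    return hashlib.sha256(json.dumps(records, sort_keys=True).encode()).hexdigest()
```

On the sample snapshots the audit yields three records (a weakened LSA setting, a share opened to Full Control, and a new share), and the template check flags the first two as non-compliant.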

The net effect is a collection of products that automate specific network activities, collect and aggregate data on those activities and associated events, and report on how the results of those activities affect compliance with policies and regulations. You can focus on a particular tool that suits your needs in tracking compliance, but at the same time have the other tools collecting and analyzing data for later use.

All of these products installed easily, instantly recognized my Active Domain network and started collecting data within an hour or two after installation. I easily set up a couple of simple activities, such as setting some security restrictions on a server and a couple of user shares. Then I collected data on legitimate accesses and failed attempts, and displayed the data in a graph in SecurityManager. All of this occurred within two hours of starting the installation.

NetPro has given a lot of thought to what constitutes compliance across a Microsoft Active Directory network. The individual NetPro tools do a fine job of tracking and analyzing activities and events on a network. Probably the only downside to the NetPro approach is that it offers a collection of tools, rather than an integrated solution.

On the other hand, its piecemeal approach lets you better choose how you want to implement compliance activities across a network. It gives you more flexibility than a solution with a single larger scope. Each product provides some ability to automate a particular activity as well as reporting to satisfy compliance requirements.

If you're looking for a set of products that lets you ease into compliance assessment gradually, the NetPro suite combines automation of network-oriented tasks with a high degree of visibility and analysis of data on the network. This solution is especially strong in helping you ensure that network access, as well as access to data, meets the requirements specified by your policies.